Five structural parallels with GDPR
Extraterritorial scope by market
GDPR reached every non-EU data controller or processor handling EU data subjects. The EAA reaches every non-EU service provider delivering covered services to EU consumers. Same extraterritorial logic, different trigger (data subject vs consumer interface).
Decentralised national enforcement
GDPR handed enforcement to national Data Protection Authorities under a One-Stop-Shop mechanism. The EAA hands enforcement to national competent authorities designated under each member state’s transposition law, with no central regulator. Same fragmentation, same mapping exercise.
Cascading flow-down through contracts
GDPR cascaded from data controller to data processor to sub-processor through Article 28 agreements. The EAA cascades from regulated service provider to IT vendor to sub-supplier through accessibility clauses in MSAs and DPAs. Same contractual mechanism.
Documented accountability as the operational core
GDPR Article 5(2) made the controller responsible for demonstrating compliance — the accountability principle. The EAA similarly requires economic operators to maintain documented self-assessments available to market surveillance authorities on request. Same “keep the file, produce on request” logic.
Industry overreaction followed by settling into routine
GDPR in 2017–2018 spawned an industry of panic consultants, certification vendors and cookie banner plugins. The core work was: map your data flows, publish a privacy notice, draft standard contract clauses, refresh annually. The EAA is following the same curve. The core work is: assess your service against 17 criteria, publish the statement, refresh annually. Same structure.
Three differences you need to know
Technical standard
GDPR relied on “appropriate technical and organisational measures” — deliberately loose. The EAA points to EN 301 549 V3.2.1 incorporating WCAG 2.1 Level AA, which is specific and testable.
Document format
GDPR’s core vendor document is the Data Processing Agreement with Standard Contractual Clauses. The EAA’s core vendor document is an accessibility statement following the European harmonised model of Commission Implementing Decision (EU) 2018/1523, adapted to the scope of Directive (EU) 2019/882 — a different instrument with a different structure.
No certification scheme yet
GDPR has approved certification mechanisms under Article 42. The EAA does not yet have an equivalent certification scheme, so self-assessment under the harmonised format is the baseline output.
What’s in the 9-page PDF the playbook plugs into
Cover page
Global compliance score, country-specific enforcement data, unique verification reference (EAA-XXXXXXXX).
Service owner identification, scope and evaluation method
Under the European harmonised model — Commission Implementing Decision (EU) 2018/1523.
Compliance status + criterion-by-criterion evaluation
All 17 WCAG 2.1 AA criteria with Yes / Partial / No / N/A across Perceivable, Operable, Understandable, Robust.
Official W3C remediation guidance
Per failed or partial criterion, extracted from “Understanding WCAG 2.1” — real fixes, not generic advice.
Non-accessible content declaration
Under Annex V, Directive 2019/882.
Feedback mechanism and enforcement procedure
Competent national authority for your service country, applicable national transposition law, exact fine range.
Legal basis
Directive (EU) 2019/882, the European harmonised model of Decision (EU) 2018/1523 (adapted to the scope of Directive 2019/882) and EN 301 549 V3.2.1.
Enforcement reality — the fines are already landing
Fine upheld by the Audiencia Nacional Contentious-Administrative Chamber Section 8 in February 2024 (sanction originally imposed October 2020), plus a six-month ban on taking part in procedures for the granting of official aid.
Fine after a CERMI complaint. CENTAC and OADI technical reports confirmed failure to meet WCAG Level AA.
Four supermarket giants summoned before the Tribunal Judiciaire de Paris on 12 November 2025 by ApiDV and Droit Pluriel.
Civil penalty for deceptive overlay claims, final consent order 22 April 2025 (Docket C-4817). Overlays are not a legal defence in the US or the EU.
“Free templates exist. Why pay €149?”
| Alternative | Cost | What you actually get |
|---|---|---|
| Manual accessibility audit (BarrierBreak, Deque, Level Access) | €4,000 – €8,000 | Thorough, 3-week lead time — right for third-party audit demands, overkill for cascade documentation |
| Annual SaaS compliance subscription | €500 – €2,000 / year | Recurring cost, US-focused format |
| Accessibility overlay (legally discredited) | €490 – €1,990 / year | Not a defence in US or EU. FTC penalised accessiBe $1M. |
| EAA-Report | €149, one-time | 9-page PDF, 15 min, European harmonised model adapted to Directive 2019/882 — pack pricing for portfolios |
Portfolio pricing for 10+ reports
For large European customer portfolios requiring 10, 20, 50 or more accessibility statements, we offer pack pricing with volume discounts. Tell us the size of your cascade and we'll reply within one business day.
Frequently asked questions
Is the European Accessibility Act legally structured the same way as GDPR?
Does my GDPR Data Processing Agreement cover EAA requirements automatically?
If I handled the GDPR cascade in 2018, how much of my playbook is reusable?
Will EAA enforcement ramp up on the GDPR timeline (first year quiet, then aggressive)?
For a portfolio of 40+ European enterprise customers, what is the realistic timeline to complete the cascade?
Is this a certified third-party audit?
⚠️ Important notice: EAA-Report is a structured self-assessment tool, not legal advice and not an overlay. All enforcement cases cited are sourced from identified public documentation.